4d1e08339249996a90caac823769323534b5565d6de0484e23dbdd869836c9b7

Analysis

max time kernel
146s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01/06/2024, 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ce9427690e8c6eb507ebffeb4071bf0_NeikiAnalytics.exe
Size

26KB
MD5

8ce9427690e8c6eb507ebffeb4071bf0
SHA1

3bacb7be67742349caab87276e5d1a5b7b6165b5
SHA256

4d1e08339249996a90caac823769323534b5565d6de0484e23dbdd869836c9b7
SHA512

7c78b70d3bb00c4277591ad9da1a78ca465a8cebf17d914146fd2f3c70e330bde8bffabbf2ff70a935e70bd32e2859d7269f62938f51a090741679bfddacbcd3
SSDEEP

768:qq3G3q83wdv7GLGS1R9TNoINEx9jnhwrJ:Jkq83wdv7GtP

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2028	Krnl32.exe

Loads dropped DLL 2 IoCs

pid	Process
2152	8ce9427690e8c6eb507ebffeb4071bf0_NeikiAnalytics.exe
2152	8ce9427690e8c6eb507ebffeb4071bf0_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinKernel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8ce9427690e8c6eb507ebffeb4071bf0_NeikiAnalytics.exe"	8ce9427690e8c6eb507ebffeb4071bf0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinKernel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Krnl32.exe"	Krnl32.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\mirc\ \.dcc send $nick	Krnl32.exe
File opened for modification	C:\Program Files\pirch98\pirch98.ini	Krnl32.exe
File opened for modification	C:\Program Files\pirch98\events.ini	Krnl32.exe
File opened for modification	C:\Program Files\mirc\script.ini	Krnl32.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Ldr64.exe	Krnl32.exe
File opened for modification	C:\Windows\ehome\ehmsas.exe	Krnl32.exe
File opened for modification	C:\Windows\ehome\loadmxf.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe	Krnl32.exe
File opened for modification	C:\Windows\ehome\MediaCenterWebLauncher.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe	Krnl32.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe	Krnl32.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe	Krnl32.exe
File opened for modification	C:\Windows\ehome\ehrec.exe	Krnl32.exe
File opened for modification	C:\Windows\ehome\mcspad.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe	Krnl32.exe
File opened for modification	C:\Windows\Boot\PCAT\memtest.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe	Krnl32.exe
File opened for modification	C:\Windows\ehome\mcGlidHost.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe	Krnl32.exe
File opened for modification	C:\Windows\ehome\McxTask.exe	Krnl32.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ComSvcConfig.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe	Krnl32.exe
File opened for modification	C:\Windows\ehome\CreateDisc\SBEServer.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\NETFXSBS10.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe	Krnl32.exe
File opened for modification	C:\Windows\HelpPane.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe	Krnl32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe	Krnl32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	Iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	Iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	Iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	Iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7074ee6dd9b3da01	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	Iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423376773"	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry	Iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{97F2DCC1-1FCC-11EF-A304-E60682B688C9} = "0"	Iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b47c7481f829da4398a241c00f5880d80000000002000000000010660000000100002000000018cfd1f30a9a7588667972aaec83860c7a1d2b936fa04e449b2b41e3edd8b134000000000e8000000002000020000000d858054f093c8adb470919ee177954655fed37558338a9393fa5bc40abbbe1b720000000a743046721bc70da8cbdec0e80a2e7fe5a1b9c726d108a31a8b03c5a9597eddc40000000d7405086075cac44b9b8aee2f209197de2178eb37c0435812ec475486ddae483e1266a2d15fee7ba13943d67b5be6f8fed44622692b2610da5f5ed8ea11e5d59	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes	Iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b47c7481f829da4398a241c00f5880d8000000000200000000001066000000010000200000000f95bbbcd20fe6903de9f020ed2eb2a80e5d6951d258718c5c32eb00fad6ffd1000000000e80000000020000200000004b96c30d05bde28dcb08d3c11466057975c6bd864b007f2482934d37cd662bfc90000000260a4732dc37e9f0353c1e07c929e0547093d78da360c0c3dda30ef51989076a0a507fd843973fdbdc84b66fce8ecd9eb9131b26358e618141b553024d8d29e16b978b256a2a1de0415b086c02d24af606d5461a586f5ed1545e2cb3efc54391ce2d51e49dfc9d6d17900fa45b00493cda6b3a7892622c3ead36c6751cb259c0bf529d0286b2859fc7e9720af7f08c0e400000002474149928674d0b2548455f8232ab81efe7ae30490550839a21407e238129ca07e597bc88590ba3ea5cfddab3aae98f387e1a72564f55b71337d5dcbfd3e262	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	Iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	Iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	Iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	Iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	Iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2648	NOTEPAD.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2516	Iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2516	Iexplore.exe
2516	Iexplore.exe
3012	IEXPLORE.EXE
3012	IEXPLORE.EXE
3012	IEXPLORE.EXE
3012	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 2028	2152	8ce9427690e8c6eb507ebffeb4071bf0_NeikiAnalytics.exe	28
PID 2152 wrote to memory of 2028	2152	8ce9427690e8c6eb507ebffeb4071bf0_NeikiAnalytics.exe	28
PID 2152 wrote to memory of 2028	2152	8ce9427690e8c6eb507ebffeb4071bf0_NeikiAnalytics.exe	28
PID 2152 wrote to memory of 2028	2152	8ce9427690e8c6eb507ebffeb4071bf0_NeikiAnalytics.exe	28
PID 2152 wrote to memory of 2648	2152	8ce9427690e8c6eb507ebffeb4071bf0_NeikiAnalytics.exe	29
PID 2152 wrote to memory of 2648	2152	8ce9427690e8c6eb507ebffeb4071bf0_NeikiAnalytics.exe	29
PID 2152 wrote to memory of 2648	2152	8ce9427690e8c6eb507ebffeb4071bf0_NeikiAnalytics.exe	29
PID 2152 wrote to memory of 2648	2152	8ce9427690e8c6eb507ebffeb4071bf0_NeikiAnalytics.exe	29
PID 2028 wrote to memory of 2516	2028	Krnl32.exe	30
PID 2028 wrote to memory of 2516	2028	Krnl32.exe	30
PID 2028 wrote to memory of 2516	2028	Krnl32.exe	30
PID 2028 wrote to memory of 2516	2028	Krnl32.exe	30
PID 2516 wrote to memory of 3012	2516	Iexplore.exe	32
PID 2516 wrote to memory of 3012	2516	Iexplore.exe	32
PID 2516 wrote to memory of 3012	2516	Iexplore.exe	32
PID 2516 wrote to memory of 3012	2516	Iexplore.exe	32

C:\Users\Admin\AppData\Local\Temp\8ce9427690e8c6eb507ebffeb4071bf0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8ce9427690e8c6eb507ebffeb4071bf0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Users\Admin\AppData\Local\Temp\Krnl32.exe
  "C:\Users\Admin\AppData\Local\Temp\Krnl32.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Program Files\Internet Explorer\Iexplore.exe
    "C:\Program Files\Internet Explorer\Iexplore.exe" http://wwp.icq.com/scripts/WWPMsg.dll?from=M4TrIx&fromemail=_&subject=MATRIX&body=THE%20MATRIX%20HAS%20COME...&to=90015214%20HTTP/1.0
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2516 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3012
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\HELPME.TXT
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
490b37679a4de9adbe740f50e7fb7855

SHA1
0147114cfbbbb15d84dabc46c2b1c03c1c622725

SHA256
51c07c00ee2cd80ad1d0e04bee04fcd954356ebc0892404a79fccd87f12ae5d4

SHA512
b3968b2b90ff3d83bf127704b555229e3f3cae1c3df3cc65594a811346b0002d79d0c1445a9318b735806ed46c9add02fdbcfac6f7634d7e4b9b6c44036986fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
16badd235257f3264f04c1fac6584545

SHA1
f4005baac9082926e2891e08dd7094ca2d3258b1

SHA256
220097dc3baa8d61836258d808529cdef13a3f36d0bc94128c8387b0d685b14a

SHA512
a1f8a56548dcba1cbab46a1b99ed7a8b6121619cdbef8047b8d07ab153eb3f93344748fa7b54aa13c5ffef3745c27821f000aa41fff72ec2c1a8437cc3e05b85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f6a5aea20681ede1fc2bc94f46ad88c

SHA1
3631f97547d0b199f9b66b9dfc594180f1ca0ae8

SHA256
559204bb4746c475d8b5c09bee1bd995a8cfe3b1cd699aa7674064ec872f008f

SHA512
7241b3f73739477b5cc6c02e9e4b00f9ff1aec4e74709d78c916f1b6b15d93145b1ef6fc092f508cb852ca294baa53c9a3b65813f3d7d4c6f687528fbdcfc511

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ff6316f38d1df306e8c2abbf65347a33

SHA1
182f04697b57d00ae1d53ea830e2ecdd1c28b892

SHA256
391bec99886172de47a955192b0e2c67fbf4e2a8eb17a8ef9b0a94ae8d1f0ec4

SHA512
1bd6c0ca5d745809a3a7e0be16414a247e4a6a6ac8eb2e259e2c4b4922472d01dca62749491e3e8b5d38e1617050e7e5dea72e1701366477ae10b72e619861b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a623447d1f4195625d1a3ef59026fe0

SHA1
9a24149dadff106facb52d7f6d56b7f4658d4c58

SHA256
7d87ccc8def6c57277cf107c3122af07faf97c923615c5de84d71586d71320ec

SHA512
df8bdb6bee41b28eaef596d40a0e6d0994349c5ca56e169545548f2834af45798e28a6b0a7fcb255ee4661c049810c020293950aaf0e5eb3d2720548f806e154

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c3384ba7cb49d9b59646a025357a803

SHA1
b084fc7465dcbfa277f48d8b2074f5d207d227e1

SHA256
4c1c66c5a50263c277b67e143c7ff5cd70be54a445bce4c6a036dade4f775b2b

SHA512
1fb6c5f3b510bfad3cc1daa01c5e7add4f2a2538fc3dd188d7562617e7fd3d9d7d5001ed6d90e75284ea24a25223150c690d410aa03e94341cae289359a8b575

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6332735a3748b583fe1db1bed29a077a

SHA1
e09a145f012c06861d098d5b189b41bc85019a83

SHA256
8097a40c0a4d8b72055492babd74a70954b361d2197363c6e583cd19efeccc71

SHA512
82368ca8a2c5f7318f3dbad40d14339323b049603fb0099f5c9f5964c0d5a21f6f2713925010233f2e859658fac7e13b0cbfa5fdcd4e71c24b1a845c231e3c99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f02d87d7159694380838c9b9362ba194

SHA1
fd0e8b538de63e53f169648036a0834ca7a7b3fa

SHA256
07e2b5b0b6d89c75fce38a9da9932778f648ad38a631a34c0e970cd989d6a1d4

SHA512
c6cdabc41881a8005275b5b22eeb5351e80c86a04296b78f3a6afb070be9a4b4a6401251b424e293be80a84e68cf26165aa72a1da7794233e76065cc231f4dea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8e5aded322dc1ce14b77c471b75c9af

SHA1
434ff9807c94d5aa1eab500279ad7903f823ee46

SHA256
746d90418d58ee437e0c3dc05636e74859e652b35ad5ef7fc91b8eff6a00fbe8

SHA512
f5e31be410bedad4eb46f3ec092fdd8eac63a4835f8d2d1fe0f3b6b07db3313d1b39d4b15fadc87443fe7c07e501e6cd0d97aba152ffc1fcb9b7461324e78d44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af403ea0f89d239cf82d6b91a6630b17

SHA1
343a11d236dc596205b5d4452fd4da30a1544a90

SHA256
364ea1192f9002103087fe8649d189e6b7d2b012542b4acab358f20adf34e1e1

SHA512
969534876bf4cf4600c900d928e49116cc44e33004bfeb447d65fa5b1395e0d1bcea547b8507e065007b4fc4c4cae4098a23f1a0f9f964620506a04a48913897

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41b8b5ca4a8f0596995812764f6e302d

SHA1
b1f2a617625214a007d272ba065e643a1ca6d5be

SHA256
d2d536f4a5c13f523150d85f29120b6e441f01b250394954ecde1d5185248b67

SHA512
18413100a417653a931899d3218dd6f4257fba5819c4e72e0f3ca3954c1843d42191e52138988c7950ac5dd0a705ba62e0b7316b65f39cfba36c0c22c38f9687

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea8daa9fb0bcedf469ec850bd077aea5

SHA1
2c6e3f53d7e84da0b644f8a89baec8e6cd6e1c9f

SHA256
20f0a05ea1c50ea872351b2c158ece1a5ae518f4fe3aa7dacdc620e72a98154c

SHA512
e84cf2b265afa3bda45f8b9fb9f1680a661d63de92f6e9b0167a0e8bffbd7a84fda9d3a047b98a456b6b9191b84ded2b7b4941ef75c9e15105904919270b710c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf3a6282759a35715e4d8ee0284f6a94

SHA1
612e4973ee1bdae8355a4aec403bd3bd06acfffb

SHA256
fef4682f5f3445f3e21a8535de3cfd2b27dcb06ec8f82ff9e9020002f38a36cf

SHA512
587e230d9b72c167441ed750a5a6b2df7ff0158e3527cf4bde9b57abd5423d9175da408d88f4872a24bdb721a5fd970049cdd9546ca12b6e6b97b2169152d3b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72ad9e11f91a3817bf02f232b88f3a51

SHA1
9ae933ece627d27c738699537cb501467dcd7315

SHA256
eda5b1888d77d2b93aaeee634cc4631511f0ca09744392d10c9a3defa19d897b

SHA512
bdc15f78d19aba8fdeec28b73f02fe0fcf738a504538e7987b9ba898fc72227db66fca8c6456c3866f0086f9a5bb2d9336dbc14f87d1a96410d56b8bb96d8388

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ae263c870dc1b80a2c3cc58416a5594

SHA1
2a1d59d2d8617583886898615e580f1fc2b32867

SHA256
0792bc80234bad634f1f9548456220e56452960890ae8d00b26e0f256b35e206

SHA512
d53b5152791419ff7cd54d633be3d1915636725b6f31bb71979a1434c03eaecd29df8421b67fd3f4e7c9656d280d85a3f40aab933fc7b61c7c2590b6fc21fbb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90acc33d64e3b3ee24340fc1556be026

SHA1
7cdfbecd3f81744c04cc64abd6383c837cf46641

SHA256
de63bada8cf5f8ef693189ef1e3d85bc9a5931d52a80c88d5db2d42d84a13007

SHA512
1128dec479efef03da275488f4ed64cd73a3417088d22299afa17b828e7ad38ec844f32d78a74672e37c4531c31db20ae7593ae3602908a811d262ce081f0bcc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd8772ff9aa3932b55b593c04cb85ced

SHA1
37c9e3d0d83f67bbb27854a8652e554e762873f2

SHA256
b58a6a51fefb02e5458e0194d43d3423859011ae2fc7d0a6cfff8ec5bed9a1dc

SHA512
cc9db9966abc713a3679970ec2fba6618f86fce7bf71c164aac928fc16da794b7e5b9cbf793f366583ca6ab16f08e61de89fe3da60ca83a05bee79fff5815b37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9a18adfaf843558c4b2dd62acae930c9

SHA1
9ee4169111dd2c120662f56bc60fb5cc69b62530

SHA256
b113ff6a96b7c14aad98980fb77cfcf4537d8317edbf46ed3c62ba4feaabb022

SHA512
ab6b42b10b6ab86250d4589f6c1b74b469cfabb4beff3d90008ac9a8fed7f8d5cf1a0a192e4b64b38cc899e1dabd317dacd56276793d2d0df7fd9fcc838ef1ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f97edc1437faddf3ee7f3e4624586820

SHA1
2582f9b5090bb802591b45d3cf8c5228ed177599

SHA256
757bd1f20fb44c125f181dc541e12dcb226b107057faa85714b727bf0d2be69a

SHA512
6a6b1664e6139cd0d486054fb8d189e5c497ed65ac2fc8c086d37bde36ae89099afb8cf54ad49c3057871e4e23b6d293321020a3371ae0f402c655cb7f707df3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
100e1194ab085c0d18c8cf2ebeb5b637

SHA1
452f2ffb0e64b9da393cf92bbae71a8da3b32f79

SHA256
c2ca094890ac377ff7398322131cc8965b8263cc83c52bb0d14bd20c7365cac7

SHA512
9b591b788a2257462a3cff8f7c012db22b763152a2b758b6cf462695d752092f8c305b09965562a775668aa71559eda08ad411c46f4216c89b140bfc44582e83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8d8af18c474410611216af1c225b6de5

SHA1
0f1a9368f85af1794905aff1dadde493356e760c

SHA256
42a914257b6dd6ab2b27d0fca83a8bb858e0379918b1cf7327820d79e326be20

SHA512
7cb944f30527e90a64111a7ed3d5a3157858938536c8044ff84dfdd1238b990fa4877e0f21f58ca70057df392ab9620877669c58c378ec58090efcd46053609e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
7e28d39c08f7d63cd555b58f4f0afc24

SHA1
40cbc2b67b8aebf58d92255023a0eb2bd1aae8d5

SHA256
f171b0a3e4044be230ee75d94416285bc43c938e85342b343a18493dcfd0e74e

SHA512
3c7b860c6503692e4f6427c52f01bc9b4a37d7b979e9f4dd37a46bfd5f34f43bb95f3e77f8e8c0303f8a3ec55900cca830345873b2db9edf7f50bd04442456e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\sxsuh4u\imagestore.dat

Filesize
4KB

MD5
fc2363cc12c0f8e350e4d41110b83c15

SHA1
767821cde8f5eb0b45023f4475f8bf124aef8f08

SHA256
0e093bc696241bea28826667dec31c63d547c3f4c966fd98d67b73cc13e03797

SHA512
147fa9e59a043a559d39bd74283ebd6ed4b9bd9df984af106a88c27da2dc2e7448d5f3b34873e22ebfe1e3d310d48028b201392c61a6bfe6f13c337fb333088d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OCCPTL4\icon_web_60[1].png

Filesize
4KB

MD5
e9dbf6c742169ea700f8386bf639911b

SHA1
2fce93e1b217283c3d7c8ef275748ad69f840815

SHA256
3ce3371ecd679c4e218474046aa2a2ab067dbac5370b983aa8e7d91b208d816b

SHA512
2809218b84cda633e6c5c2e47d8d65c23c1ea05a88b5ee970c6bc6265223ef6e94f0d30605e1f15601ecdc68700eca299990314468a37109cac87b30c575d234

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B1014REI\en[1].htm

Filesize
41KB

MD5
ee39185389dd344b465d52a2b00c24f4

SHA1
6391a8ec25edaf66de92720e113576892e92f149

SHA256
048b8193d25d826641ce4de886572d782f6b97da86e8c4549bc3fd5517ec8085

SHA512
e0897211866962072dfda695de412c58c424fea36787e39944decadd84029b2e9db58ae3107e1660a366e46cb8313bab114a36a0095031b474699fd184be6c76

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAAB3.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HELPME.TXT

Filesize
67B

MD5
057798d389930107a381a2690141ac1d

SHA1
e44f1c2475c0f2323507e141dcae53ffef51c624

SHA256
5ba8c75f08589b808a6e16225ea565734aeeb23edc40894174d2d135f5e8d3d2

SHA512
98b40b6a11027974b482cb645718d34c8ee707ad01d6eba05acbf15a3b8d7c762afc08fef6513623fefe6e297d77a838fbb980d944a4a8e864356dfabac473e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Krnl32.exe

Filesize
26KB

MD5
9a06be7d9248e4117167515e5b4b64ba

SHA1
6abea02344acb3b19b881aba7f016f935d73ba35

SHA256
32c1a2131ea93f0a74c055e91b0b993ab3b1c3aa2679c879483741fc86d41461

SHA512
11e134098387dfbdf35ec7a6d8f68244e54118e0a11fa64741e6402c319e889b3e985324d0ecfe331ad668837dc78959861615772c2b9a1c13381df07f4f46f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAAB4.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarABA5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2028-30-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2028-26-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2028-617-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2028-615-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2028-613-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2028-18-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2028-1214-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2028-1216-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2152-16-0x00000000026E0000-0x00000000026F3000-memory.dmp

Filesize
76KB

Download
memory/2152-6-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2152-17-0x00000000026E0000-0x00000000026F3000-memory.dmp

Filesize
76KB

Download
memory/2152-24-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads